Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


garlin said:
It's great that Lenovo has refreshed the BIOS (even this late in the game), and tried to make the UI more presentable. I believe Acer has a round of BIOS updates scheduled for mid-June.
Click to expand...
@garlin I just noticed that updating the T490 UEFI BIOS to 1.85 Enabled VBS which was previously OFF under version 1.84. The 5/31 version of your check script now shows it ON and the optional SkuSiPolicy.p7b missing. Should I now install this and if so, how? Will this affect my USB boot drives? Should I just turn OFF VBS since it was off anyway prior to the 1.85 update?

PowerShell 7.6.2
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\Windows\System32>
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
nikki605 said:
@garlin I just noticed that updating the T490 UEFI BIOS to 1.85 Enabled VBS which was previously OFF under version 1.84. The 5/31 version of your check script now shows it ON and the optional SkuSiPolicy.p7b missing. Should I now install this and if so, how? Will this affect my USB boot drives?
Click to expand...
While SkuSiPolicy is recommended, it's still optional for the very reason that it can block some boot devices (USB drives). Don't add the policy file if you don't feel comfortable about trying to fix your USB drives.

Sometimes a BIOS update will unlock more HW security features, and Windows will recognize those changes and automatically enable VBS for you. There are different shades of VBS policy rules, depending on what your HW supports.

It's sort of like BitLocker (or Device Encryption on Windows Home). Originally the security requirements were very strict, and few PC's supported it. But then MS adjusted the requirements and PC vendors added more HW features, and so now BitLocker is more likely to be turned on by default.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
While SkuSiPolicy is recommended, it's still optional for the very reason that it can block some boot devices (USB drives). Don't add the policy file if you don't feel comfortable about trying to fix your USB drives.

Sometimes a BIOS update will unlock more HW security features, and Windows will recognize those changes and automatically enable VBS for you. There are different shades of VBS policy rules, depending on what your HW supports.

It's sort of like BitLocker (or Device Encryption on Windows Home). Originally the security requirements were very strict, and few PC's supported it. But then MS adjusted the requirements and PC vendors added more HW features, and so now BitLocker is more likely to be turned on by default.
Click to expand...
I think I will leave it set the way it is and not fool with SkuSiPolicy.p7b since I have a Macrium 8 Free boot USB drive that works after running your Update Script using -BootMedia. This is what SysInfo shows right now:

VBS.webp

Thanks for the info.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
The row "Available Security Properties" represents what the HW can do. Not everyone will have the same list of attributes.

Hypervisor enforced Code Integrity (HVCI) is the highest level of security Windows can provide. It builds a VM security layer inside Windows to protect Windows from driver-based tampering.
 

My Computer

System One

  • OS
    Windows 7
@garlin
I'm thinking of trying to apply SkuSiPolicy.p7b on my Dell 3910 and Surface 9 Pro where I use Macrium X
I've already applied it on the older computers where I use Veeam Agent for Microsoft Windows Free and updated the boot media with bcdedit, and it all works without issues.
So I was thinking that it will probably work on my Dell and Surface, but just in case I want to know how to revert it if I need to.

I have read this web page from MS Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates

They mention that you can revert the policy by simply: (PS: I do not use BitLocker)
  • Disable Secure Boot in BIOS
  • Boot Windows
  • Remove SkuSiPolicy.p7b from EFI partion
  • Enable Secure Boot in BIOS
  • Restart device
But when I look at your "Clear-UEFI_Lock.bat" you do a bunch of things to unlock the UEFI.

Code: 
@echo off
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d

Is what you do in your script taken care by the "disable Secure Boot" in MS instrcutions ?
What am I missing or what is MS not telling in their documentation...
 

My Computer

System One

  • OS
    Windows 11
Virtualization Based Security (VBS) and Code Integrity are umbrella terms for a set of kernel-level security features sitting on top of Secure Boot. If you have Secure Boot enabled, it guarantees a certain baseline of security (booting from a trusted Windows file) and VBS checks if your CPU has specific security features available at the HW level.

After recognizing these HW features are available, VBS/CI can then operate in certain ways because they know those HW features can assist them in maintaining system integrity (tamper proofing).

Normally these features are managed at the UI level (from the Security Center) or by GPO or reg values. The problem with GPO's or reg values is an attacker could gain admin rights and silently disable DeviceGuard (VBS) or CredentialGuard (LSASS). If you have HW support, Windows can transfer control over enabling/disabling these features to the UEFI. Instead of allowing an attacker to change settings on the running Windows, Windows will consult the UEFI variables at boot time and decide whether to run in enhanced security mode.

This is the "UEFI lock". Control over running DeviceGuard or CredentialGuard is determined by UEFI settings, and not by Windows. Which means if you want to return control back to the user, the UEFI lock must be cleared.

A special bootable EFI file was created, which can be queued and executed by the boot manager. This program confirms if you want to remove the UEFI lock. Because the EFI app requires human input (you must hit F3 to confirm), it can't be scripted by attackers.

The batch file follows the MS directions to make an one-time change to the boot manager, and boot into the EFI security tool. After the EFI program exits, we return to our normal boot settings. So if you fail to hit F3 and cancel out, there's no way to return. You must run the script again to add another on-time boot record as before.

Disable Credential Guard with UEFI lock

In the past, you wouldn't have to worry about these matters because only highly technical security pros would manage these settings. But with a new focus on improving Windows baseline security, it's far easier on modern CPU's to have all of these protections activated by default. You didn't decide to enable UEFI lock, but Windows did because your PC matched the higher HW requirements.

Do you need this batch file to help remove the SkuSiPolicy file? No, but it's useful in cases when UEFI lock is detected and you want to disable the lock. All the lock does is take the option to disable security away from Windows, and hide the setting in the UEFI variables.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
Do you need this batch file to help remove the SkuSiPolicy file? No, but it's useful in cases when UEFI lock is detected and you want to disable the lock. All the lock does is take the option to disable security away from Windows, and hide the setting in the UEFI variables.
Click to expand...
Thanks for the explanations.
So...
  • Apply SkuSiPolicy.p7b with your update script, flag -SkuSiPolicy
  • Build new WinRE Macrium X boot media and patch it with bcdedit
  • Test to see if it works
    • Works: great, done !
    • Fails: copy SkuSiPolicy.p7b to EFI\Microsoft\Boot on Macrium boot media
      • If still not working, revert SkuSiPolicy.p7b changes on Windows
        • Remove SkuSiPolicy.p7b from Windows EFI partition
        • Run UEFI unlock script and reboot to press F3 to confirm
Did I get it right ?
 

My Computer

System One

  • OS
    Windows 11
You don't have to copy the SkuSiPolicy file to the USB drive. There's no point in trying to restrict yourself.

The batch file is only needed if you know UEFI lock is enabled. It doesn't hurt to run it.
But if you don't have the batch file, you can disable Secure Boot and restart Windows TWICE in a row.
 

My Computer

System One

  • OS
    Windows 7
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom